The necessity of a SIEM for organizations and their security teams has evolved dramatically over time. It has gone from edge use cases and compliance to the current form of threat detection, incident response, and threat hunting.
As the use cases have changed, so has the architecture. As a result, organizations that have been quite familiar with running their SIEM on-premises are now looking for modern architectures to reduce the workload on their analysts.
The simple choice: SaaS, of course.
But not all SaaS SIEMs are created equal. Some are cloud-hosted while others are cloud-native. Potato, po-tah-to. Is there really a difference? You bet there is.
Let’s look at the telltale signs that you’re using a cloud-hosted — not a cloud-native — SIEM.
1. You know exactly how much hardware is running.
So, you’ve bought your SIEM, begun using it, and you’re excited to start threat hunting. Unfortunately, a DDoS attack hits your network. A burst of network traffic floods your SIEM’s ingestion pipelines. Data is lost. Search performance grinds to a halt. You examine why and realize your cloud-hosted SIEM has just five indexing nodes. You call support and learn that scaling up your cloud-hosted SIEM will take at least one day. Not the ideal outcome.
Cloud-native SIEMs eliminate these all-too-typical cloud-hosted issues by committing to performance and autoscaling to meet demand.
2. Data parsing is mainly your responsibility.
Do you know what’s worse than regex? Take a moment… umm… err… Surely there is something. Nope! Nothing! There is nothing worse than having to write regex. There, I said it!
Regex — or any other data parsing method — is very challenging for the SOC analyst to master. A cloud-hosted SIEM assumes that people have plenty of time to be twiddling their thumbs on regex101, working out why there are 7,000 backtracks in their regex. What a waste of time! Your analysts absolutely should not have to waste their time on that. Cloud-native SIEM vendors provide global parsing, which enables you to think less about the data when sending it over the wire — and that makes it seamless to onboard data.
As a result, your analysts spend more time hunting, not data wrangling.
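As an added illustration (not code from the original post or from Devo), the following Python script shows the failure mode the author alludes to: a pattern with nested quantifiers and an optional separator backtracks exponentially on a near-miss log line, while an unambiguous pattern or a split-based key=value parser stays linear. The sample event, the `has_nested_quantifier` lint heuristic and the pattern names are constructed for this example and are assumptions, not anything the post describes.

```python
"""Added example: why an ambiguous regex burns analyst time, and two ways to avoid it."""
import re
import time

# Constructed sample event in key=value form (not taken from the post).
SAMPLE_EVENT = "2024-05-01T12:00:00Z src=10.0.0.5 user=alice action=login result=ok"

# Ambiguous: the separator inside the repeated group is optional, so a run of word
# characters can be split between iterations in 2^(n-1) ways. On input that can
# never match, the engine tries every split before giving up.
AMBIGUOUS = re.compile(r"^(\w+\s?)+$")

# Unambiguous: the separator is mandatory and \s never overlaps \w, so there is
# exactly one way to consume each character and a failure is found in linear time.
UNAMBIGUOUS = re.compile(r"^\w+(?:\s\w+)*$")


def parse_kv(event: str) -> dict:
    """Regex-free parser for whitespace-separated key=value events.

    str.split and str.partition never backtrack, so cost is linear in the event length.
    Tokens without '=' (such as the leading timestamp) are skipped.
    """
    fields = {}
    for token in event.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def _first_atom_quantified(body: str) -> bool:
    """True if the first atom of a group body carries a quantifier (\\w+, [a-z]*, a?)."""
    if body.startswith("\\"):
        end = 2                      # escape such as \w or \s
    elif body.startswith("["):
        end = body.index("]") + 1    # character class
    else:
        end = 1                      # single literal character
    return end < len(body) and body[end] in "+*?{"


def has_nested_quantifier(pattern: str) -> bool:
    """Coarse, hypothetical lint check (constructed for this example).

    Flags a quantified group whose body starts with a quantified atom, the shape of
    (\\w+\\s?)+ or (a+)+. It is a first-pass filter, not a proof of safety or danger:
    groups with a mandatory leading separator such as (?:\\s\\w+)* are not flagged.
    """
    for match in re.finditer(r"\((?:\?:)?([^()]+)\)[+*{]", pattern):
        if _first_atom_quantified(match.group(1)):
            return True
    return False


def time_match(regex: re.Pattern, text: str):
    """Return (matched, seconds) for one anchored match attempt."""
    start = time.perf_counter()
    matched = regex.match(text) is not None
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    print("parsed fields:", parse_kv(SAMPLE_EVENT))
    for name, regex in (("ambiguous", AMBIGUOUS), ("unambiguous", UNAMBIGUOUS)):
        print(f"{name:11s} nested-quantifier lint: {has_nested_quantifier(regex.pattern)}")
    # A near-miss input: 22 word characters followed by one character that can
    # never match. The ambiguous pattern backtracks through about 2 million splits
    # before failing; the unambiguous one fails after a single pass.
    near_miss = "a" * 22 + "!"
    for name, regex in (("ambiguous", AMBIGUOUS), ("unambiguous", UNAMBIGUOUS)):
        matched, seconds = time_match(regex, near_miss)
        print(f"{name:11s} matched={matched} took {seconds:.3f}s")
```

Run it once to see the timing gap on the near-miss input; lengthening `near_miss` by one character roughly doubles the ambiguous pattern's time, which is the 7,000-backtracks problem the author is complaining about. The split-based parser is the shape a SOC team reaches for when it does not want to own regex at all.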
3. You need to install integrations, add-ons, and custom apps to derive value from your data.
This is related to point two. If you need a Ph.D. in apps, add-ons or integrations to derive value from your SIEM, that’s a sure sign you’re using a cloud-hosted SIEM. With the staffing challenges SOCs face, there is no time to waste studying which apps and add-ons are required. Organizations typically use apps and add-ons to enhance the functionality of a technology when there is a gap in product features.
Cloud-native technologies take into consideration analysts’ workflows and integrate the needed functionality into the product. For example, toolsets and functionality such as CyberChef, memory forensics, sandboxing, and advanced search functionality, such as the Levenshtein algorithm or domain parsing, are embedded in cloud-native technologies, not added on.
4. Real-time search is disabled by default or not recommended for production use cases (lol)
You have invested in a SOAR solution and want to reduce your mean time to respond/contain. You analyze your SIEM workflow and realize that most of your scheduled detections run only every thirty minutes to one hour, a schedule chosen because of hardware constraints and search performance issues. Sense a theme here? The only person scheduled searches favor is your adversary, not your SOC operation!
Cloud-native SIEMs ensure that you improve your MTTR/C by allowing you to run the searches you need in real time, without any strings attached. DEVOstating your adversary, not your search performance (Dad pun was required)!
5. Additional functionality comes at a cost and/or requires separate infrastructure/login interfaces
So, you’re at a new burger joint looking up at the menu, choosing what you will order, and you decide to go with the burger. You take your ticket, sit down at the table and wait. Time passes, and your order finally comes out, and to your surprise, you are given just the bun. You walk up and ask the person why you only received a bun and are told that you didn’t order the extra components. Sound familiar?
Cloud-hosted SIEMs will give you the bun without any sauce and tell you, “that wasn’t included.” Fortunately, that’s not the model cloud-native technologies follow, which is to provide an all-inclusive license. Devo has a single license metric — data volume. With that, you get ServiceOps, our AIOps app, SecOps, our SIEM/Threat Hunting app, and Devo Flow, our automation engine. Oh, and all of that comes with 400 days of always-hot data.
So, the next time you’re evaluating the market and see the words “SaaS” SIEM, ask yourself: Is it cloud-hosted or cloud-native? There’s a huge difference!